Hi all,

I need to block all SSL traffic going to my Bro box. I was going to use BPF to accomplish this task using a zero source address and a port number. So something like this:

#Nothing from src host to dst port
!(src host []( && dst port 443) &&

Does that make sense and will it work? Do you all have any other ways to permanently filter traffic?

I think you meant to do…

(not src port 443 and not dst port 443)


Good call. Thanks.

If you’re anxious to avoid any SSL traffic based on port exclusions, you might consider other well-known ports - 587, 465, etc.


Would it be sufficient to disable the SSL analyzer? That way you don't have to play the port shell game, but you don't get an ssl.log or any SSL-related notices, if that's your concern.


I think just the amount of traffic coming in is my issue. So, I am trying to block things I can do little about. Hoping in vain that this will let me focus on the sloppy hackers and the low hanging fruit.

This is not my primary IDS so missing somethings is ok.

Just as a side note, there are some apps that will send clear text
over 443.. so you also won't be looking at those if you limit that

I think you meant to do

(not src port 443 and not dst port 443)

(A nit: that's equivalent to "not port 443". Nit #2: more correct would
be "not tcp port 443". The above will weed out UDP traffic that happens
to use 443.)